Veeam Backup Library Loaded by Unusual Process
Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.
This detection identifies potential credential compromise attempts targeting Veeam Backup software. Attackers may attempt to load the Veeam.Backup.Common.dll library through unauthorized processes, such as PowerShell or unsigned executables, to decrypt and misuse stored credentials. These credentials can then be used to target backups, potentially leading to destructive operations like ransomware attacks. The rule focuses on flagging untrusted or unsigned processes loading the Veeam library, providing an indicator of possible malicious activity. The detection logic specifically looks for scenarios where PowerShell or other unusual processes load the Veeam backup library, which deviates from typical administrative or backup-related operations. This activity warrants further investigation to determine if it’s part of a credential access attempt.
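The detection logic described above, as an added example that is not code from the original page or from the Sigma rule itself: a Python check run over constructed image-load events using Sysmon Event ID 7 style field names (`Image`, `ImageLoaded`). The `ProcessSigned` field is an assumption, because Sysmon's own `Signed` field describes the loaded DLL, not the loading process, so the process signature status has to come from process telemetry.

```python
import ntpath

# Process images the rule names as unusual loaders of the Veeam library.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
TARGET_DLL = "veeam.backup.common.dll"


def is_suspicious_veeam_load(event: dict) -> bool:
    """Return True when an image-load event matches the rule logic.

    Expected keys (assumed normalization of Sysmon Event ID 7):
      Image         - full path of the loading process
      ImageLoaded   - full path of the DLL being loaded
      ProcessSigned - bool for the loading process binary (assumed field;
                      Sysmon's 'Signed' refers to the loaded DLL instead)
    """
    # Windows paths are case-insensitive, so compare lower-cased basenames.
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if loaded != TARGET_DLL:
        return False
    proc = ntpath.basename(event.get("Image", "")).lower()
    if proc in POWERSHELL_IMAGES:
        return True
    # "Unsigned process" branch: any other loader that is not code-signed.
    return not event.get("ProcessSigned", False)


def triage(events: list) -> list:
    """Return the Image paths of all events the rule would flag."""
    return [e["Image"] for e in events if is_suspicious_veeam_load(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "ImageLoaded": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Common.dll",
     "ProcessSigned": True},   # signed backup service: expected, not flagged
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Common.dll",
     "ProcessSigned": True},   # PowerShell loading the library: flagged
    {"Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Program Files\Veeam\Backup\VEEAM.BACKUP.COMMON.DLL",
     "ProcessSigned": False},  # unsigned process, mixed case: flagged
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ProcessSigned": True},   # PowerShell loading an unrelated DLL: not flagged
]

if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("ALERT: Veeam backup library loaded by unusual process:", image)
```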
Attack Chain
- An attacker gains initial access to a Windows system through unspecified means.
- The attacker uses PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or another unsigned process to execute malicious commands.
- The malicious process attempts to load the Veeam.Backup.Common.dll library.
- The Veeam.Backup.Common.dll library is loaded into the process memory.
- The attacker leverages the loaded library to decrypt stored Veeam credentials.
- Using the decrypted credentials, the attacker gains access to Veeam backups.
- The attacker may then encrypt, delete, or exfiltrate the backups, leading to data loss or ransomware attacks.
- The attacker pivots to other systems using the compromised credentials, further expanding the attack.
Impact
Successful exploitation allows attackers to gain access to sensitive Veeam backup data. This can lead to data exfiltration, data encryption, or complete data loss. The impact includes potential ransomware attacks, significant business disruption, and financial losses due to recovery efforts and downtime. The compromise of Veeam backups can severely impact an organization’s ability to recover from incidents, making it a critical target for attackers.
Recommendation
- Deploy the Sigma rule “Veeam Backup Library Loaded by Unusual Process” to your SIEM to detect suspicious DLL loads.
- Investigate any alerts generated by the Sigma rule, focusing on the process details and execution history to determine legitimacy.
- Enable process creation and library load logging to capture the necessary events for the Sigma rule to function correctly.
- Review and enforce code signing policies to prevent unsigned processes from loading critical libraries like Veeam.Backup.Common.dll.
- Implement multi-factor authentication for Veeam accounts to mitigate the impact of credential compromise.
Detection coverage (2 rules)
- Veeam Backup Library Loaded by Unusual Process (severity: medium): Detects potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library.
- Unsigned Process Loading Veeam Backup Common DLL (severity: medium): Detects an unsigned process loading the Veeam Backup Common DLL.